When responding to a crisis, it’s important to be fast—and accurate.
When Panera Bread executives learned that reporters had discovered a security flaw in its website that had potentially leaked millions of customer accounts—including names, home addresses and the last four digits of credit cards—the company immediately patched the site and reached out to news outlets.
Yet when a security researcher first notified Panera of the problem, its response was tepid. Security reporter Brian Krebs detailed how the company had responded to reports that its site was vulnerable.
KrebsOnSecurity learned about the breach earlier today after being contacted by security researcher Dylan Houlihan, who said he initially notified Panera about customer data leaking from its Web site back on August 2, 2017.
A long message thread that Houlihan shared between himself and Panera indicates that Mike Gustavison, Panera’s director of information security, initially dismissed Houlihan’s report as a likely scam. A week later, however, those messages suggest that the company had validated Houlihan’s findings and was working on a fix.